funsec mailing list archives

Re: Microsoft announce most secure OS on the planet


From: Gadi Evron <ge () linuxbox org>
Date: Mon, 20 Apr 2009 21:31:05 +0300

David Harley wrote:
Fascinating. Think of how secure DOS and CP/M are by this standard.

My daughter had an exquisitely safe laptop made by Vtech.

Rich started this by saying that he believes some software is weaker, 
and some is perceived as weaker. And that popularity has nothing to do 
with security.

I agree with his first two points, I disagree with the other two.

While there are always security vulnerabilities to be found, someone has 
to look for them. If your goal is stealth, you will likely develop a 
0day, or try to hide in some fashion.

But let's be honest folks, very popular software and especially 
mono-culture software (Windows, Adobe Acrobat, Cisco IOS, etc.) have a 
lot of risk attached to them being famous.

Consider the early days of Internet Explorer vs. Mozilla. While Mozilla 
has better code in my opinion (anybody has better code than IE!), it was 
targeted significantly less than IE. Then, when it became popular it 
started getting targeted much more often.

The same goes with the Mac and OS X. As the Mac becomes more popular it 
becomes a rich target for the mass exploitation of worms, etc. and 
criminals start targeting it. I have often claimed that the Mac's day is 
coming, and it's almost fully here.

Adam O'Donnell has a very interesting game-theory based presentation on 
the Mac angle.

So yes, security by obscurity does work, folks. Once again, it does. But 
it doesn't hold water as the only strategy.

Saying that a software's popularity has no impact on how often it is 
exploited by the mass-exploitation devices is inane.

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

